Feature #1224 (closed)
Allow newlines in bpf filters in files specified by the -F flag
Description
Currently if you create a bpf filter as a file, the entire filter must be specified on a single line or it will not compile correctly. This can make managing complex filters somewhat unwieldy. I tried escaping the newline but that didn't work.
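As a workaround for the single-line restriction described above, here is an added helper (not part of Suricata or this ticket) that joins a multi-line filter file into the one-line form, treating a trailing backslash as a line continuation, and refuses to emit a result whose parentheses or brackets no longer balance. The sample file content is constructed from the filter quoted later in this ticket; the continuation-backslash convention is an assumption of this helper, not something Suricata's -F reader is known to support.

```python
import re
import sys

# Constructed sample: a BPF filter written across several lines, with one
# backslash-continued line, as someone might keep it in a file passed to -F.
SAMPLE_FILTER_FILE = """\
( (ip and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667)
  or ( ip and tcp dst port 80
       or (ip and tcp src port 80 and \\
           (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
            or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))
"""

PAIRS = {")": "(", "]": "["}


def check_balance(expr: str) -> None:
    """Raise ValueError if '(' / '[' are not properly nested and closed."""
    stack = []
    for pos, ch in enumerate(expr):
        if ch in "([":
            stack.append((ch, pos))
        elif ch in ")]":
            if not stack or stack[-1][0] != PAIRS[ch]:
                raise ValueError(f"unexpected '{ch}' at offset {pos}")
            stack.pop()
    if stack:
        ch, pos = stack[-1]
        raise ValueError(f"unclosed '{ch}' opened at offset {pos}")


def flatten_bpf(text: str) -> str:
    """Return the filter as one line: continuations joined, whitespace collapsed."""
    # A backslash immediately before a newline is a continuation (assumed convention).
    text = re.sub(r"\\\r?\n", " ", text)
    # Every remaining newline, tab or run of spaces becomes a single space.
    one_line = " ".join(text.split())
    check_balance(one_line)  # fail early rather than hand a broken filter to -F
    return one_line


if __name__ == "__main__":
    # Usage: python flatten_bpf.py < bpf-filter-multiline > bpf-filter
    print(flatten_bpf(sys.stdin.read()))
```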
Updated by Peter Manev almost 12 years ago
I am not sure what you mean.
I just did a blogpost about bpf filters -
http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html
This is the BPF that I used in a file (there are new lines in there) -
root@snif01:/var/log/suricata# cat /home/pmanev/test/bpf-filter
( (ip and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667) or ( ip and tcp dst port 80 or (ip and tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))) or ((vlan and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667) or ( vlan and tcp dst port 80 or (vlan and tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))) )
root@snif01:/var/log/suricata#
and it worked fine in my case.
Is this the same issue, or have I misunderstood?
Updated by Cooper Nelson almost 12 years ago
It didn't work last time I tried it. As mentioned, it seems to work now so go ahead and close out the ticket.
Updated by Peter Manev almost 12 years ago
Before we do that - can we pinpoint what the reason was that it didn't run correctly the last time? Just to confirm there is no corner case or something.
Updated by Andreas Herz over 10 years ago
- Status changed from New to Closed
No more input